Data Processing Addendum
Last updated: 06/05/2026
This Data Processing Addendum (“DPA”) forms part of the agreement between Diglot OÜ (“Diglot”, “Processor”) and the customer entering into a B2B, team, or education contract for the Diglot Service (“Customer”, “Controller”). It sets out the terms on which Diglot processes personal data on the Controller’s behalf in line with Regulation (EU) 2016/679 (the “GDPR”), the UK GDPR, the Estonian Personal Data Protection Act, and other applicable data-protection laws.
This DPA does not apply when an individual signs up directly to Diglot for personal use — in that case Diglot is the controller, and the Privacy Policy governs.
By signing the underlying Diglot subscription agreement (or, where applicable, by clicking “I accept” on a B2B/education order form that incorporates this DPA), the Controller agrees to the terms below.
1. Definitions
Capitalised terms not defined here have the meaning given in the GDPR. In particular, “Personal Data”, “Data Subject”, “Processing”, “Controller”, “Processor”, “Sub-processor”, and “Personal Data Breach” have their GDPR meanings. “Service” means the Diglot platform as defined in the Terms of Service. “Customer Personal Data” means any Personal Data that Diglot processes on the Controller’s behalf in connection with the Service.
2. Roles and scope
For Customer Personal Data:
- the Controller is the Customer;
- the Processor is Diglot OÜ.
Diglot processes Customer Personal Data only on documented instructions from the Controller, as set out in the Terms of Service, this DPA, and any further written instructions the Controller gives consistent with this DPA. If applicable law requires Diglot to process data otherwise, Diglot will inform the Controller before doing so, unless the law forbids that notice on important grounds of public interest.
3. Subject matter, duration, nature, and purpose of processing
| Item | Description |
|---|---|
| Subject matter | Provision of the Diglot writing-assistant Service (translation, grammar, paraphrasing, AI-Check, Cowriter, Authorship Certificate, plagiarism preview, related features). |
| Duration | For the term of the Customer’s subscription, plus the data-export window described in §10 and any retention required by law. |
| Nature | Hosting, storing, transmitting, displaying, indexing, computing on, and where applicable transmitting to AI sub-processors, the Customer Personal Data described in §4. |
| Purpose | Delivering the Service to the Controller and its authorised users; security, fraud prevention, and abuse mitigation; complying with law. |
| Categories of Data Subject | The Controller’s authorised end-users (e.g., employees, students, faculty); third parties whose personal data is included in documents the end-users upload. |
| Categories of Personal Data | Account data (name, email, role); user-generated content (drafts, prompts, edits, files); usage telemetry; opt-in Authorship telemetry (keystroke timing, edit cadence, paste events); device and log data; support communications. |
| Special categories | Diglot does not seek special-category data. The Controller agrees not to upload special-category data unless this DPA is supplemented by additional safeguards agreed in writing. The opt-in Authorship telemetry is treated under §6 below. |
4. Controller’s obligations
The Controller represents that:
- it has a valid lawful basis under the GDPR (or equivalent law) for the processing it instructs Diglot to perform;
- it has provided required notices and obtained any required consents from Data Subjects (in particular, parents/guardians where required for users under the age of digital consent);
- its instructions to Diglot — including those embedded in its configuration of the Service — comply with applicable law;
- it does not upload, and does not allow its end-users to upload, personal data of identifiable individuals beyond what is necessary for the Service.
5. Diglot’s obligations
Diglot will:
- Process only on instructions consistent with §2 and §3;
- Confidentiality — ensure that everyone authorised to process Customer Personal Data is bound by confidentiality;
- Security — implement and maintain the technical and organisational measures listed in Annex II (§13);
- Sub-processors — engage Sub-processors only under §7;
- Data Subject requests — assist the Controller per §8;
- Audit and impact assessment — assist the Controller per §9;
- Personal Data Breaches — notify the Controller per §11;
- Return / deletion — return or delete Customer Personal Data per §10;
- Information — make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR.
6. Authorship telemetry (special handling)
Where the Service’s Authorship Certificate feature is used, Diglot processes keystroke timing, paste events, and similar editor telemetry. Diglot considers this data potentially behavioural-biometric and therefore special-category-adjacent. Diglot processes Authorship telemetry only:
- where the end-user has given explicit, revocable consent in-product, and
- where the Controller has authorised the use of the Authorship Certificate feature on its tenant.
The Controller agrees to inform its end-users about Authorship telemetry as part of its own privacy notices.
7. Sub-processors
The Controller authorises Diglot to engage the Sub-processors listed at /subprocessors as of the effective date.
When Diglot intends to add or replace a Sub-processor, it will:
- update the Subprocessors page;
- give the Controller at least 30 days’ prior notice by email to the contacts on file;
- give the Controller a reasonable opportunity to object on data-protection grounds. If the Controller objects in good faith and the parties cannot agree on an alternative within 30 days, the Controller may terminate the affected services.
Diglot enters into a written contract with each Sub-processor that imposes data-protection obligations equivalent to those in this DPA.
8. Data Subject requests
Taking into account the nature of the processing, Diglot will assist the Controller — via in-product tools where reasonable — to fulfil its obligations to respond to requests from Data Subjects exercising their rights under Articles 15–22 GDPR (access, rectification, erasure, restriction, portability, objection, automated decision-making). If a Data Subject contacts Diglot directly, Diglot will not respond on the merits and will, where possible, redirect the Data Subject to the Controller and notify the Controller within 5 business days.
9. DPIAs and prior consultation
Diglot will provide the Controller with the information reasonably necessary to perform Data Protection Impact Assessments (Article 35 GDPR) and, where applicable, prior consultations with supervisory authorities (Article 36 GDPR), including security documentation, the up-to-date list of Sub-processors, and a summary of the safeguards applied to international transfers.
10. Return and deletion of Customer Personal Data
On termination or expiry of the subscription, Diglot will, at the Controller’s option:
- make the Customer Personal Data available for export in a structured, machine-readable format for 30 days, after which Diglot will delete it; or
- delete the Customer Personal Data immediately on the Controller’s instruction.
Diglot may retain copies of Customer Personal Data to the extent and for as long as required by applicable law (for example, security logs, audit trails, billing records). Such retained data remains subject to the confidentiality and security obligations of this DPA.
11. Personal Data Breach
Diglot will notify the Controller of a Personal Data Breach affecting Customer Personal Data without undue delay and in any event within 48 hours of becoming aware of it. The notice will include, to the extent known: the nature of the breach, categories and approximate number of Data Subjects and records concerned, likely consequences, and the measures taken or proposed to address it. Diglot will provide reasonable updates as the investigation continues. Diglot does not, by giving notice, accept any fault or liability for the breach.
12. International transfers
Some Sub-processors are located outside the European Economic Area. For each such transfer, Diglot will rely on one of the following safeguards:
- the EU-U.S. Data Privacy Framework (where the recipient is certified);
- the European Commission’s Standard Contractual Clauses (2021/914) in the appropriate Module;
- the UK International Data Transfer Addendum;
- another transfer mechanism approved under Article 46 GDPR.
Diglot maintains a Transfer Impact Assessment for each transfer and will provide a summary on request to legal@diglot.ai.
To the extent the Standard Contractual Clauses apply between the Controller and Diglot directly (as a back-to-back transfer), the Controller is the data exporter, Diglot is the data importer (Module Two: Controller-to-Processor), and the Clauses are incorporated by reference. Annex I of the Clauses is populated by the order form, this DPA §3, and the Subprocessors page; Annex II by §13 below.
13. Annex II — Technical and Organisational Measures
The current TOMs include:
- Encryption — TLS 1.2+ in transit; AES-256 at rest; column-level encryption (Supabase Vault / pgsodium) for sensitive fields where supported.
- Access control — RBAC and Row-Level Security in the database; mandatory MFA for all engineering access to production.
- Network security — Cloudflare WAF and DDoS protection; least-privilege firewall rules; private networking between application and database.
- Logging and monitoring — immutable audit logs (Supabase / Sentry) with anomaly alerts; security event review.
- Vulnerability management — automated dependency scanning; periodic third-party penetration testing.
- Backup and recovery — encrypted, region-redundant snapshots; documented RPO and RTO.
- People — confidentiality obligations on all personnel; security training for engineering staff.
- Sub-processor governance — written DPAs and security reviews before onboarding any Sub-processor.
The current detailed list is maintained in our internal Security Whitepaper, available under NDA on request.
14. Audits
The Controller may, on reasonable prior notice (at least 30 days, except in case of a regulator’s legitimate request), audit Diglot’s compliance with this DPA. To minimise disruption and protect other customers’ data, Diglot may, at its option, satisfy this obligation by providing:
- a current SOC 2 Type II report (when available), an ISO 27001 certificate, or an equivalent independent attestation;
- a recent third-party penetration-test executive summary;
- responses to a reasonable security questionnaire (HECVAT, SIG Lite, or similar);
- a written response to specific questions.
If those materials don’t reasonably satisfy the Controller’s obligations and the Controller still requires an on-site audit, the parties will agree the scope, time, and cost (which the Controller will bear unless a material non-compliance is found).
15. Liability
Each party’s liability under this DPA is subject to the liability cap and exclusions in the underlying Terms of Service / order form, except where mandatory law forbids that limitation.
16. Order of precedence
If there is a conflict between this DPA and the Terms of Service, this DPA prevails on data-protection matters. If there is a conflict between this DPA and the Standard Contractual Clauses (where they apply), the Standard Contractual Clauses prevail on transfer matters.
17. Changes
Diglot may update this DPA from time to time to reflect new sub-processors, new transfer mechanisms, or changes to law. Material changes will be communicated by email to the Controller at least 30 days before they take effect. The “Last updated” date at the top of this page always reflects the current version.
18. Contact
Diglot OÜ — Republic of Estonia. Data-protection contact: legal@diglot.ai. Estonian supervisory authority: Andmekaitse Inspektsioon — aki.ee.